An effective internal audit program is one of the most critical — and most underestimated — components of a mature compliance program. This guide establishes a structured, risk-based approach for conducting internal audits of an Information Security Management System (ISMS) and associated operational, technical, and compliance controls, aligned with ISO/IEC 27001:2022 Clause 9.2 and SOC 2 Trust Services Criteria.
Purpose of Internal Audits
Internal audits are designed to:
- Verify the effectiveness of controls implemented as part of your ISMS and SOC 2 compliance programs
- Ensure ongoing conformity with ISO/IEC 27001:2022 and SOC 2 requirements
- Identify nonconformities, control weaknesses, and improvement opportunities before external audits
- Provide senior management with objective assurance regarding the performance and maturity of the security program
Scope of the Audit Programme
The internal audit programme should cover all relevant functions and domains, including:
- Information security policies and controls
- IT operations and infrastructure management
- Asset and access management
- Risk management and vulnerability handling
- Incident management and business continuity
- Vendor and third-party risk management
- Privacy and data protection practices
- Human resources and onboarding/offboarding
- Physical and environmental security controls
Key Roles and Responsibilities
| Role | Key Responsibilities |
|---|---|
| CISO | Owns the audit programme, reviews high-risk findings, reports outcomes to senior management |
| Audit Lead | Plans and coordinates audits, ensures impartiality, reviews reports and follow-up activities |
| Internal Auditor | Conducts audits objectively, collects evidence, identifies nonconformities, prepares reports |
| Auditee (Process Owner) | Cooperates fully, provides access to evidence, addresses nonconformities through corrective actions |
| Risk & Compliance Team | Maintains audit calendar, nonconformity register, and corrective action tracker |
| Executive Management | Reviews critical findings, approves corrective action plans, drives accountability |
Core Audit Principles
- Objectivity — Findings must be based on facts, not assumptions
- Evidence-based approach — All findings supported by verifiable, sufficient audit evidence
- Independence — Auditors must not audit their own work or areas of direct responsibility
- Risk orientation — Audit focus prioritized based on process criticality, control maturity, and past incidents
- Confidentiality — All audit data and findings handled confidentially
Audit Planning
An annual Internal Audit Programme should be developed and approved by the CISO or ISMS Steering Committee. Audit frequency and coverage should be determined based on business criticality, regulatory obligations (ISO 27001, SOC 2, DPDP Act), results from past audits, and known or emerging risks. High-risk or high-impact areas may be audited more frequently. No control or process within the ISMS scope should remain unaudited for more than 12 months.
Ad-hoc audits may also be initiated in response to major security incidents, whistleblower complaints, regulatory inquiries, or significant organizational changes.
Types of Audits
- Process Audits — Evaluate control implementation in a specific department or process
- Thematic Audits — Focus on specific control domains (e.g., access control, patch management)
- Compliance Audits — Assess conformance with ISO 27001, SOC 2, or DPDP
- Technical Audits — Review systems and configurations against hardening standards
- Follow-up Audits — Re-assess closure of previous findings or corrective actions
Audit Execution
Auditors use a combination of methods to gather sufficient evidence:
- Interviews — Discussions with personnel responsible for controls
- Documentation review — Evaluation of policies, procedures, and logs
- Observation — On-site or virtual observation of processes in action
- Sampling — Review of representative transactions, logs, or records
- Technical validation — Direct verification of access controls, system settings, and configurations
Nonconformity Classification
| Classification | Definition | Examples |
|---|---|---|
| Major Nonconformity | Complete or systemic failure to meet a control requirement, exposing the organization to significant risk | Missing access reviews, no documented risk assessment, repeated unresolved findings |
| Minor Nonconformity | Partial or isolated lapse that does not pose immediate high risk | Outdated procedure with minor deviation, delayed logging of backup verification |
| Observation / OFI | Noted weakness or inefficiency that may impact long-term performance or audit readiness | Inconsistent ticket tagging, no periodic review tracker for awareness training |
Corrective Action & Follow-Up
For each Major or Minor nonconformity, the assigned process owner must develop a Corrective Action Plan (CAP) within 10 business days of the audit report. The CAP must include the corrective action to be taken, the responsible person, a target date, and the supporting evidence required for closure. Overdue CAPs should be escalated according to how long they have been outstanding:
| Overdue Duration | Escalation Level |
|---|---|
| 0–15 Days | ISMS Manager / Risk & Compliance |
| 16–30 Days | CISO / Department Head |
| >30 Days or Repeat Delay | Executive Sponsor / Risk Committee |
Audit Records & Retention
All audit records — including audit programmes, plans, checklists, evidence, reports, CAPs, and follow-up documentation — must be retained securely for a minimum of five years, or longer if required by regulatory or contractual obligations. Records must be stored in a secure, access-controlled repository and must not be altered after the fact, except to correct clerical errors with a documented change log.
An internal audit is only as valuable as the corrective actions it drives. Treat findings as opportunities to strengthen your security posture — not just compliance checkboxes.
Need help structuring your internal audit programme?
SecComply helps organizations design and execute risk-based internal audit programmes aligned with ISO 27001 and SOC 2 requirements.